Sync from SUSE:SLFO:1.1 pam-config revision 316a707ee1cd3b79cd7b3e7dc9b3151f

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>
     <param name="filename">pam-config</param>
-    <param name="versionformat">2.13+git.%cd</param>
+    <param name="versionformat">2.11+git.%cd</param>
   </service>
   <service mode="manual" name="recompress">
     <param name="file">*.tar</param>

_servicedata

@@ -2,5 +2,5 @@
 <service name="tar_scm">
                 <param name="url">https://github.com/SUSE/pam-config.git</param>
               
-<param name="changesrevision">f5caa1e70f5af87d7f84e19f7c13ffde1e2cf288</param></service>
+<param name="changesrevision">c328cbfc2b9576a92d32372df03eebef0aefb975</param></service>
 </servicedata>

pam-config.changes

@@ -1,35 +1,9 @@
 -------------------------------------------------------------------
-Tue Jul 15 06:44:03 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+Fri May 16 16:24:57 UTC 2025 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 
-- Update to version 2.13+git.20250715:
-  * Release version 2.13
-  * Place himmelblau near the top of pam stack [bsc#1243418]
-
--------------------------------------------------------------------
-Wed Jun 18 05:28:06 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
-
-- Update to version 2.12+git.20250516:
-  * Don't add pam_env twice
-
--------------------------------------------------------------------
-Fri Apr 11 08:14:08 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
-
-- Update to version 2.12+git.20250411:
-  * Release version 2.12
-  * Call ecryptfs/fscrypt before pam_unix (#30)
-  * Don't exit with error if admin disabled pam-config
-
--------------------------------------------------------------------
-Wed Sep 11 13:54:08 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
-
-- Add PreRequires for pam-extra, several other packages depend on
-  that pam_limits is installed and enabled by default
-
--------------------------------------------------------------------
-Wed Sep 11 07:58:07 UTC 2024 - kukuk@suse.com
-
-- Update to version 2.11+git.20240911:
-  * Only add pam_limits if available
+- Stop adding pam_env in AUTH stack, and be sure to put this module at the
+  really end of the SESSION stack.
+  [bsc#1243226, CVE-2025-6018, remove-pam_env-from-auth-stack.patch]
 
 -------------------------------------------------------------------
 Fri Sep 06 08:20:00 UTC 2024 - kukuk@suse.com

pam-config.spec

@@ -17,7 +17,7 @@
 
 
 Name:           pam-config
-Version:        2.13+git.20250715
+Version:        2.11+git.20240906
 Release:        0
 Summary:        Utility to modify common PAM configuration files
 License:        GPL-2.0-only
@@ -26,11 +26,12 @@ URL:            https://github.com/SUSE/pam-config
 Source:         %{name}-%{version}.tar.xz
 # Do not show some rpmlint errors.
 Source1:        pam-config-rpmlintrc
+# PATCH-FIX-UPSTREAM
+Patch0:         remove-pam_env-from-auth-stack.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  docbook-xsl-stylesheets
 PreReq:         pam >= 1.3.0
-PreReq:         pam-extra
 Recommends:     pam_pwquality
 
 %description
@@ -42,6 +43,7 @@ add/adjust/remove other PAM modules and their options.
 
 %prep
 %setup -q
+%patch 0 -p1
 
 %build
 ./autogen.sh

remove-pam_env-from-auth-stack.patch

@@ -0,0 +1,60 @@
+diff --git a/src/mod_pam_env.c b/src/mod_pam_env.c
+index b280789..2d04391 100644
+--- a/src/mod_pam_env.c
++++ b/src/mod_pam_env.c
+@@ -38,9 +38,6 @@ write_config_env (pam_module_t * this, enum write_type op, FILE * fp)
+ 
+   switch (op)
+     {
+-    case AUTH:
+-      fprintf (fp, "auth\trequired\tpam_env.so\t");
+-      break;
+     case SESSION:
+       fprintf (fp, "session\toptional\tpam_env.so\t");
+       break;
+diff --git a/src/pam-config.c b/src/pam-config.c
+index 29b34ef..0d97b5a 100644
+--- a/src/pam-config.c
++++ b/src/pam-config.c
+@@ -1059,8 +1059,6 @@ main (int argc, char *argv[])
+       if (sanitize_check_account (common_module_list, 0) != 0)
+	return 1;
+ 
+-      opt_set = mod_pam_unix.get_opt_set (&mod_pam_env, AUTH);
+-      opt_set->enable (opt_set, "is_enabled", TRUE);
+       opt_set = mod_pam_unix.get_opt_set (&mod_pam_unix, AUTH);
+       opt_set->enable (opt_set, "is_enabled", TRUE);
+       if (sanitize_check_auth (common_module_list, 0) != 0)
+diff --git a/src/supported-modules.h b/src/supported-modules.h
+index 5067db8..bf7b4ba 100644
+--- a/src/supported-modules.h
++++ b/src/supported-modules.h
+@@ -121,7 +121,6 @@ static pam_module_t *module_list_account[] = {
+ };
+ 
+ static pam_module_t *module_list_auth[] = {
+-  &mod_pam_env,
+   &mod_pam_faildelay,
+   &mod_pam_group,
+   &mod_pam_pkcs11,
+@@ -195,10 +194,10 @@ static pam_module_t *module_list_session[] = {
+   &mod_pam_gnome_keyring,
+   &mod_pam_kwallet5,
+   &mod_pam_exec,
+-  &mod_pam_env,
+   &mod_pam_mktemp,
+   &mod_pam_himmelblau,
+   &mod_pam_kanidm,
++  &mod_pam_env,
+   NULL
+ };
+ 
+@@ -224,8 +223,8 @@ static pam_module_t *module_list_session_nl[] = {
+   &mod_pam_gnome_keyring,
+   &mod_pam_kwallet5,
+   &mod_pam_exec,
+-  &mod_pam_env,
+   &mod_pam_mktemp,
++  &mod_pam_env,
+   NULL
+ };